
Important Lessons From Germany’s First GDPR-Related Fine

Germany has issued its first GDPR fine. The penalty underscores the willingness of data protection authorities to enforce the law, but its relatively low amount — just 20,000 euros, or less than $23,000 — may also indicate leniency for companies that report violations promptly, fully comply with authorities and swiftly take action to fix the problem.

The fine was levied against the social media chat app Knuddels, which had stored the passwords of some of its users in plaintext. The site was breached in July 2018, and the intrusion was discovered in September, when 330,000 user email addresses and passwords were posted on the internet.

According to German magazine Der Spiegel, a total of over 800,000 email addresses and 1.8 million user names are suspected of being stolen, though only the 330,000 cases have been verified so far. Some customers used their real names and listed their home addresses on the site. Whether that information was taken is still unclear.

Founded in 1999, Knuddels is one of the oldest and largest German chat platforms. It began protecting stored user passwords in 2012, but continued to keep the old plaintext copies on a backup server running an outdated operating system. After learning of the breach, the company deleted its database of plaintext user data and notified the Baden-Württemberg data protection authority. The lesson for practitioners is twofold: passwords should be stored only as salted, deliberately slow one-way hashes, never in a form the application can reverse, and a migration is not finished until every copy of the old plaintext, backups and exports included, has been destroyed.
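The following is an added example, not Knuddels' code or any code from the original article, showing the two steps the Knuddels case illustrates: migrating a password store from plaintext to salted scrypt hashes, deleting the plaintext in the same operation, and then auditing every copy of the store (including backups) for residual plaintext records. The record layout (`user`, `password`, `password_hash`), the function names and the sample users are assumptions made for illustration; the scrypt cost parameters are placeholders that should be sized for real hardware.

```python
"""Plaintext-to-scrypt password store migration with a residual-plaintext audit.

Added example, not code from the article or from Knuddels. The record layout
(user / password / password_hash), function names and sample data below are
assumptions for illustration only.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters. Assumption for the example: tune n/r/p on your own
# hardware so one hash takes tens of milliseconds (128 * n * r bytes of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt b64>$<hash b64>.

    A fresh random salt per password means identical passwords produce
    different records, so a leaked table cannot be attacked with one table.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters stored in the record and
    compare in constant time. Malformed records verify as False."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:          # bad field count, bad base64, bad parameters
        return False
    return hmac.compare_digest(dk, expected)


def migrate_store(records: list[dict]) -> int:
    """Replace every plaintext 'password' field with a 'password_hash' field.

    Because the plaintext is available, all records can be migrated in one
    pass; pop() removes the plaintext key in the same step so the migrated
    store never holds both forms. Returns the number of records migrated.
    """
    migrated = 0
    for rec in records:
        if "password" in rec:
            rec["password_hash"] = hash_password(rec.pop("password"))
            migrated += 1
    return migrated


def audit_plaintext(records: list[dict]) -> list[str]:
    """Return the user names of records that still carry a plaintext password.

    Run this against every copy of the store, not just the live database:
    the Knuddels breach came from an old copy on a backup server.
    """
    return [rec.get("user", "?") for rec in records if "password" in rec]


# Constructed sample data: two legacy plaintext rows and one already-hashed row.
SAMPLE_USERS = [
    {"user": "alice", "password": "correct horse battery staple"},
    {"user": "bob", "password": "hunter2"},
    {"user": "carol", "password_hash": hash_password("s3cret")},
]


if __name__ == "__main__":
    store = [dict(r) for r in SAMPLE_USERS]          # pretend this is a backup
    print("plaintext before migration:", audit_plaintext(store))
    print("records migrated:", migrate_store(store))
    print("plaintext after migration:", audit_plaintext(store))
    bob = next(r for r in store if r["user"] == "bob")
    print("bob/hunter2 verifies:", verify_password("hunter2", bob["password_hash"]))
    print("bob/hunter3 verifies:", verify_password("hunter3", bob["password_hash"]))
```

The audit function is the part that would have mattered here: it is cheap, and running it against backup snapshots and database exports after a migration is what catches the copy nobody remembered.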

The company also apologized, promptly notified affected users and required them to change their passwords, and made extensive changes to improve its data security. It plans further technical improvements in the coming weeks.

“Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack,” said Stefan Brink, the data protection and freedom of information officer for Baden-Württemberg, in a statement.

Significantly, he added that regulators are “not interested in entering into a competition for the highest possible fines. The bottom line is improving privacy and data security for users.”

Given the possible penalties involved, the Knuddels fine was effectively a slap on the wrist. Depending on the severity of the infringement, the GDPR allows fines of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.

That said, it is critical for multinationals to understand that while the fine in this case made headlines in part for its leniency, there were other costs. Knuddels’ prompt response, for example, must have imposed a serious administrative burden. It is also common in such cases to incur legal and other third-party costs, such as PR. Finally, there may be reputational costs which, while difficult to measure, can be significant, particularly over the long term.

Other Euro Fines

While being forthcoming about mistakes and acting quickly to improve security may help reduce fines, it won’t stop authorities from enforcing the law, and Germany is not the first country to act.

A Portuguese hospital was fined 400,000 euros for giving too many users access to patient data. Nearly a thousand users had physician-access rights, while fewer than 300 doctors were employed at the hospital. The hospital is appealing the fine.

An Austrian retailer was fined 4,800 euros for using a surveillance camera that captured too much of the sidewalk outside. In addition, the camera didn’t warn passers-by that they might be recorded.

Going After Big Game

These fines may be the tip of the iceberg for GDPR enforcement. Complaints have been filed against several major technology companies about the way they track users.

Privacy International, a UK-based nonprofit, has filed GDPR complaints against seven corporations, including data brokers Acxiom and Oracle, credit bureaus Equifax and Experian, and several ad tech companies. These firms use cookies and IP addresses to track users without obtaining adequate permission, the group and other privacy advocates say.

A separate complaint was filed against Google and other ad tech companies, claiming that the real-time bidding (RTB) technology behind most personalized online advertising violates European privacy standards. When someone is shown a personalized ad, the complaint says, data about what that person is viewing is broadcast to a large number of ad companies so that they can bid on targeting the individual, and that broadcast itself breaches the GDPR. If complaints like this are upheld, they could upend the business model that supports most ad-funded sites.

Another group has filed complaints against Google for recording user location even when the “Location History” setting is turned off (location data continues to be saved through the separate “Web & App Activity” setting, which users must also disable).

Facebook, which was fined 500,000 pounds over the Cambridge Analytica scandal (the maximum available under the UK’s pre-GDPR Data Protection Act 1998, because the conduct predated the GDPR), could face a billion-dollar fine after a bug in the platform’s “View As” feature exposed access tokens for up to 30 million users. The bug has since been fixed.

Another complaint was filed against Facebook shortly after GDPR went into effect in May for not obtaining adequate opt-in consent from users for data collection.

Twitter is under investigation by the Irish Data Protection Commission, its lead EU regulator, for failing to disclose to users how their information is tracked when they click links.

What to Do

What these companies have in common, besides their size and notoriety, is their alleged failure to obtain permission before collecting data and failure to explain how the collected data will be used, both key provisions of the GDPR.

Multinationals that collect information about customers or employees in the EU should review the GDPR with a focus on consent and transparency procedures. Remember that you are also responsible for ensuring that your processors, partners and contractors follow the law.

The GDPR’s breach procedure is straightforward: the supervisory authority must be notified within 72 hours of the controller becoming aware of a breach, and affected individuals must be told without undue delay where the risk to them is high. The language on permission and consent, by contrast, has been criticized as murky and ambiguous. This may be deliberate, leaving companies choices about how they achieve the law’s aims. Authorities’ handling of the existing complaints will shed more light on enforcement and expectations.

In the meantime, for a data breach, the Knuddels fine makes it clear that intention and attitude matter a great deal. Prompt reporting and corrective action will not spare you a fine, or the related costs mentioned above such as administrative burden and legal fees, but regulators appear to be trying to make the punishment fit the crime.
